Firewall/Security Group ports needed


Matthew Halder

Aug 22, 2016, 12:19:37 PM
to keywhiz-users
I have a scenario where, when I open all TCP ports on the keywhiz client and server, connections are allowed through.  However, when I remove the "all TCP ports open" rule the client cannot make a proper connection to the server and instead gives a "/bin/fusermount: failed to access mountpoint /secrets/kwfs: Transport endpoint is not connected ${timestamp} Mount fail: fusermount exited with code 256".  There is a rule to keep port 4444 open, so a netcat to the keywhiz server on port 4444 succeeds in both scenarios.
I'm wondering if anybody knows the required ports on the server and host that need to be open to allow the connection to succeed.  I'm currently adding and removing the "all TCP" rule from my security groups and monitoring the Flow Logs to find this information, but nothing has stood out yet.

Matthew McPherrin

Aug 22, 2016, 1:57:10 PM
to Matthew Halder, keywhiz-users
kwfs just does an HTTPS GET to the server on port 4444.

1- Make sure DNS/host resolution works?
2- TCP destination 4444 (Or whatever port you're running on, of course)
3- We don't specify a source port at all, I think, so you'll want to ensure you're not restricting that.


Matthew Halder

Aug 22, 2016, 3:01:25 PM
to keywhiz-users
I've been trying to use tcpdump to view the keywhiz client's connection attempts (with all TCP open from above) and something odd happens.  Initially the client can connect and access secrets, so then I turn off keywhizfs on the client and turn on tcpdump (using -i, -vv, -n host ${keywhiz_client_IP}).  When tcpdump is running, the keywhiz client cannot connect and gets the same error as noted above (code 256).

Matthew Halder

Aug 22, 2016, 3:50:49 PM
to keywhiz-users, mha...@pingidentity.com
Is it possible to configure the keywhizfs client to use a specific range of ports for connections?  That would be awesome


Matthew McPherrin

Aug 22, 2016, 3:54:32 PM
to Matthew Halder, keywhiz-users

We haven't done that. I'd accept a PR to do that, if it's valuable to you.
Matthew Halder

Aug 23, 2016, 11:57:28 AM
to keywhiz-users, mha...@pingidentity.com
Seems fair; once I get this out of the PoC and development phase, that will be something I look at (it seems to fit our microservices model well to define ports, but we'll see how much time is allotted for that).
